Electronic unit provided in a microcircuit card and including cryptographic means for high-speed data processing

ABSTRACT

An electronic unit includes a processor (P), an input-output device ( 18 ) and a cryptographic device ( 14 ). The unit is directly connected by two-way data transmission ( 20 ) set up between the input-output device and the cryptographic device, the electronic unit being integrated in a microcircuit card.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to an electronic unit comprising a processor, datainput-output means, and cryptographic means; it relates moreparticularly to a new arrangement of these subsystems that speeds up thecryptographic processing of certain data.

2. Description of the Related Art

One prior art electronic unit incorporating cryptographic means is basedon a processor associated with different memories (RAM, ROM and EEPROM,for example) and connected to input-output means. The processor isconnected to the cryptographic means via a memory register. Thecryptographic means generally comprise electronic circuits dedicated tocryptographic calculations and specifically designed to carry out thosecalculations very quickly. The operations carried out are, for example,encryption and decryption operations using a DES protocol. In the fieldof microcircuit cards, there exist very light cryptographic unitscontaining of the order of 5 000 logic gates capable of carrying out DEScalculations in just 16 clock pulses. By comparison, copying 8 bytesinto a register necessitates 48 clock pulses (8 bytes is the length of aword in DES encryption). The input-output means comprise a UARTinterface, for example, exchanging information with devices external tosaid electronic unit in accordance with the ISO7816 or Universal SerialBus (USB) protocol. The UART interface comprises a register. Prior artcryptographic means (usually referred to as a cryptographic calculationunit) are connected directly to the processor, which manages all aspectsof the transfer of the data to be encrypted or decrypted to thecryptographic means, the execution of the encrypting/decryptingoperations, and the sending of the results back to the input-outputmeans. Clearly this mode of operation, which monopolizes the processorin each step, is relatively slow and involves a relatively highconsumption of energy. The invention overcomes these drawbacks.

BRIEF SUMMARY OF THE INVENTION

The invention relates more particularly to an electronic unit comprisinga processor, data input-output means and cryptographic means,characterized by a direct bidirectional data transmission connection setup between said input-output means and said cryptographic means, saidelectronic unit being provided in a microcircuit card.

It also relates to a microcircuit card including this kind of electronicunit.

To provide the direct connection, the input-output means and thecryptographic means may share a common memory space. This may be thememory register conventionally associated with the cryptographic means.

The input-output means advantageously comprise a send-receive unit, forexample a UART, and a direct connection is set up between saidsend-receive unit and the memory register of the cryptographic means.

In one embodiment, the send-receive unit includes means for routing datato said cryptographic means. In other words, in a simple manner thatwill be evident to the person skilled in the art the UART may becomplemented by “routing means” for sending the data to the memoryregister and then to the cryptographic calculation unit, once theinformation has been identified as relating to cryptographic processing,the input-output means also including means for identifying suchinformation.

On the other hand, if the UART send-receive unit is not designed todrive the cryptographic means directly, the processor, which isconnected to the cryptographic means, may be programmed to set up saiddirect connection in response to a message sent by said input-outputmeans. In this case, the role of the processor is limited to identifyingthe appearance of a series of data to which cryptographic processingrelates and setting up said direct connection so that the information isrouted directly to the cryptographic means and sent back to theinput-output means after processing.

According to other preferred features of the invention, which may whereapplicable be combined:

-   -   the processor comprises means for sending keys to the        cryptographic means, selecting an encryption or decryption mode        of operation, and sending an instruction for initiating        cryptographic processing;    -   it comprises two input-output means;    -   it includes means for processing a digital data stream;    -   the processing means are adapted to effect encryption or        decryption processing.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

The invention will be better understood and other advantages will becomemore clearly apparent in the light of the following description of aplurality of embodiments of an electronic unit conforming to theprinciple of the invention, provided by way of example only and givenwith reference to the appended drawings, in which:

FIG. 1 is a block diagram of a prior art electronic unit;

FIG. 2 is a block diagram analogous to FIG. 1 showing one embodiment ofan electronic unit according to the invention;

FIG. 3 shows a variant of the electronic unit conforming to theinvention;

FIG. 4 is diagram showing input data and output data for one embodimentof the invention; and

FIG. 5 is a diagram showing input data and output data for anotherembodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The prior art electronic unit 11 shown in FIG. 1 consists mainly of aprocessor P that is associated in the conventional way with a certainnumber o-f memories (RAM, ROM, EEPROM), cryptographic means 14comprising a cryptographic calculation unit 15 and a memory register 16,and input-output means 18 connected to a network, for example. Theinput-output means 18, enabling the electronic unit to communicate witha network or an external electronic entity, essentially comprise anasynchronous send-receive unit known as a UART. The cryptographic means14 are also connected to the processor via the memory register 16. Theother memories connected to the processor are conventional. There are,for example, a random access memory RAM, a read only memory ROM, and anon-volatile memory EEPROM.

When the electronic unit receives via the UART data that must besubjected to cryptographic processing (encryption, decryption, etc.),the UART sends an interrupt message to the processor P which then readsthe register of the UART and copies the data into RAM. The processorthen initializes the cryptographic means, in particular supplying thenecessary keys to the cryptographic unit 15. The processor P then readsthe data to be processed in the RAM and copies it into the register 16,after which it initiates the calculation by the cryptographic unit. Inorder to be communicated to the external network, the result calculatedby the cryptographic unit is then read in the register 16 and copiedinto the UART register by the processor P. The results are rewritteninto the register 16, read by the processor, and sent to the network viathe UART.

This mode of operation is not suitable for cryptographic processing bythe electronic unit at high data bit rates. The operation carried out bythe processor P of copying the data into an intermediate RAM area beforeprocessing by the cryptographic unit represents a particular burden.Now, the requirement is to increase the cryptographic calculationcapability of an electronic unit of this kind in order to be able toprocess large and continuous data streams in real time.

For example, it is now required to decrypt in real time digital datarepresentative of sound. Such data is compressed according to the MP3standard and transmitted at a bit rate of 128 kbit/s. The electronicunit for decrypting the data in real time must therefore be able toabsorb and process information at a high bit rate. Furthermore, becausethe electronic unit described hereinafter may advantageously beaccommodated inside a microcircuit card, this kind of cryptographicprocessing is made more secure by virtue of the simple fact that thedecryption key(s) never leave the card.

To this end, a direct bidirectional data transmission connection is setup between the input-output means (i.e. typically the UART send-receiveunit) and the cryptographic means. The arrangement depicted in FIG. 2may be used, for example.

The UART send-receive unit is connected to the processor which isconventionally associated with various memories (RAM, ROM, EEPROM), asin FIG. 1. Moreover, and as previously, the electronic unit comprisescryptographic means 14 including a cryptographic calculation unit 15associated with a memory register 16. The processor is connected to thecryptographic means via the memory register. However, a directbidirectional data transmission connection 20 is also set up between theUART input-output means and the cryptographic means, in this example thesame memory register 16.

The send-receive unit ideally comprises means for routing data to thecryptographic means. In other words, this unit is adapted to analyzeinformation sent by the external network and recognize information to besubjected to cryptographic processing. Once this recognition has beeneffected, the input-output means route the information directly to thememory register 16 of the cryptographic means. The processor sends thekeys to the cryptographic means, defines the mode of operation (forexample encryption or decryption, with or without chaining) and sends aninstruction for initiating the cryptographic processing. During thistime, i.e. after launching the cryptographic processing, the processoris no longer operative in the cryptographic process or even in thetransfer of the results to the exterior; this reduces power consumption.Security is also enhanced since the information is no longer stored inthe memory connected to the processor.

In other words, this send-receive unit comprises means for setting up adirect connection with the cryptographic means.

Those means are rudimentary, with little intelligence, since a smartcard is used and the components must therefore be relatively simple andof moderate cost. Thus above all there is no question of using a commandinterpreter. The UART is not capable of interpreting commands receivedvia the I/O port.

If the UART send-receive unit is not designed to detect for itself asequence to which the cryptographic processing applies, that functionmay be handled by the processor P without excessive loss of time. Forexample, the first packet of a message intended to undergo cryptographicprocessing could describe the content of subsequent packets. In thiscase, on receiving this first packet, the processor is able to command“routing”, i.e. setting up the direct bidirectional data transmissionconnection 20 between the input-output means and the cryptographic meansfor the time necessary to receive and/or send back the informationprocessed by the cryptographic means. The microprocessor P decides toset up this direct connection in order to optimize the processing speedfor processing a large data stream.

In the FIG. 3 device, in which subsystems analogous to those of FIG. 1carry the same reference numbers, information concerning cryptography isseparated from other data. The input-output means 18HD connected to ahigh bit rate port are this time exclusively and directly connected tothe cryptographic means (by the direct connection 20); the otherinformation is sent to other input-output means 22 and reaches theprocessor via another send-receive unit, for example a UART. Thus theprocessor is able to communicate with a server in parallel via a“standard” port, the cryptographic data being sent via a high bit rateport, for example a USB port. Thus no routing is necessary.

FIGS. 4 and 5 are diagrams depicting data formats that may be processedin accordance with the invention.

Thus in FIG. 4 the input receives an encrypted data packet (2048 bits)preceded by a keyword 1 and followed by a keyword 2 and a decrypted datapacket (2048 bits) is obtained at the output.

By means of security mechanisms (for example authentication of thesender and where applicable exchange of keys), the processor authorizesdecryption of the next data packet received. The processor sends thedecryption key to the cryptographic calculation unit 15 and sends theinstruction for initiating the processing. The processor also sends amessage directly to the UART in order for the latter to route the datapackets directly to the cryptographic calculation unit 15 when itrecognizes the keyword 1 and to stop sending data to the cryptographiccalculation unit 15 when it recognizes the keyword 2. The cryptographiccalculation unit 15 then decrypts the data packet. The result of thecalculation is then communicated directly to the exterior of the card bythe UART.

In FIG. 5, encrypted and decrypted data packets are present at the inputand the output, respectively.

By means of security mechanisms (for example authentication of thesender and where applicable exchange of keys), the processor authorizesdecrypting of the next data packet received, and knows in advance thatthis will occupy 2048 bits. The processor sends the decryption key tothe cryptographic calculation unit 15 and sends the instruction forinitiating the processing. The processor also sends a message to theUART so that the latter routes the next 2048 data bits received directlyto the cryptographic calculation unit 15 and sends the 2048 bits of theresult of the cryptographic processing from the output of thecryptographic calculation unit 15 to the exterior of the card and thenroutes the data at the input of the UART directly to the processoragain.

The invention claimed is:
 1. A cryptographic processing method within anelectronic entity comprising a processor, a data input-output elementand a cryptographic element, said method comprising the steps ofidentifying within said electronic unit a sequence to be subjected tocryptographic processing in incoming data received by said input-outputelement; setting up a direct bidirectional data transmission connectionbetween said input-output element and said cryptographic element so asto route said sequence directly from said input-output element to thecryptographic element; sending from the processor to the cryptographicelement an instruction for initiating cryptographic processing on saidrouted sequence with keys sent by the processor according to anencryption or decryption mode of operation selected by the processor;and applying said cryptographic processing to said sequence according tosaid information received from said processor, wherein decryption key(s)never leave the card.
 2. The method of claim 1, wherein said identifyingstep is applied by said input-output element.
 3. The method of claim 1,wherein said identifying step is applied by said processor on a messagetransmitted by the data input-output element.
 4. The method of claim 1,wherein the sequence to be subjected to cryptographic processingcomprise encrypted data to be encrypted/decrypted in real time, suchencrypted data being representative of sound.
 5. A microcircuit card,comprising an electronic unit comprising: a data input-output elementcomprising a UART send-receive unit, a cryptographic element comprisinga memory register, a processor connected to the data input-outputelement and to the cryptographic element, and configured, when detectinginformation to be subjected to a cryptographic processing in a messagesent by said input-output element, to set up a direct connectionbidirectional data transmission connection between the data input-outputelement and the memory register of the cryptographic element for routingsuch information directly from the UART to the cryptographic element,and to send to this cryptographic element an instruction and a key forinitiating cryptographic processing of this information according to anencryption or decryption mode selected by the processor, the key(s)never leaving the card, whereby information received by the datainput-output element is enabled by the processor to be routed by theUART send-receive unit directly to the cryptographic element where it issubjected to a cryptographic processing defined by the processor.
 6. Themicrocircuit card of claim 5, wherein the microcircuit card constitutesa device for decrypting encrypted data in real time, such encrypted databeing representative of sound.
 7. The microcircuit card of claim 5,including a processing element adapted to effect encryption ordecryption processing on a digital data stream.
 8. The microcircuit cardof claim 5, wherein the processor is configured to send, in response tosaid message, the decryption key(s) to the cryptographic element and amessage to the input/output element in order to route to thecryptographic element data packets recognized between successivekeywords, and the decryption key(s) are provided independent of thedata.
 9. A microcircuit card, comprising an electronic unit comprising:a cryptographic element comprising a memory register, a datainput-output element comprising a UART send-receive unit, configured toanalyze information received from the exterior and recognize informationto be subjected to a cryptographic processing, and to set up a directbidirectional data transmission connection with the memory registerwhereby said information to be subjected to a cryptographic processingis routed to the memory register, a processor connected to the datainput-output element and to the cryptographic element, and configured tosend to the cryptographic element a key, to select an encryption ordecryption mode of operation and to send to this cryptographic elementan instruction for initiating cryptographic processing according to aselected encryption or decryption mode, after the date input-outputelement has recognized the information to be subjected to thecryptographic processing, the key never leaving the card, wherebyinformation recognized to be subjected to a cryptographic processing isrouted directly to the cryptographic element where it is subjected to acryptographic processing defined by the processor.
 10. The microcircuitcard of claim 9, wherein said send-receive unit comprises a device forrouting data to said cryptographic element.
 11. The microcircuit card ofclaim 9, wherein said input-output element is dedicated to certaininformation intended to be processed by said cryptographic element,other input-output elements being connected to said processor forprocessing other information.
 12. The microcircuit card of claim 9,wherein the microcircuit card constitutes a device for decryptingencrypted data in real time, such encrypted data being representative ofsound.
 13. A microcircuit card, comprising: a processor, a datainput-output element comprising a UART send-receive unit and connectedto the processor, and a cryptographic element comprising a memoryregister connected to said processor connected to the processor, saidcryptographic element being further connected to said data input-outputelement by a direct bidirectional data transmission connection betweensaid UART send-receive unit of the input-output element and said memoryregister of the cryptographic element, the processor and the datainput-output being configured so that, when information on data to besubjected to a cryptographic processing is recognized in the card, adirect transmission of said data is then set up through said directconnection for transmitting said data directly to said cryptographicelement, and at least a key and an instruction are sent by the processorto the co-processor for initiating cryptographic processing of said dataaccording to a selection mode of encryption or decryption, key(s) neverleaving the card, whereby said data directly transmitted to saidcryptographic element is subjected in said cryptographic element to acryptographic processing defined by said processor.
 14. The microcircuitcard of claim 13, wherein said UART send-receive unit comprises anelement configured for recognizing said data to be subjected to acryptographic processing and for routing this data directly to saidcryptographic element.
 15. The microcircuit card of claim 13, whereinsaid processor is adapted to detect a message intended to undergocryptographic processing and, as a consequence, to set up said directconnection for the time necessary to receive and/or send back the dataprocessed by the cryptographic element.
 16. The microcircuit of claim13, wherein said cryptographic element is adapted to decryptingencrypted data in real time.
 17. The microcircuit card of claim 13,including a processing element configured for processing a digital datastream.
 18. The microcircuit card of claim 17, wherein said processingelement is adapted to process in real time digital data representativeof sound.
 19. The microcircuit card of claim 13, wherein said UARTsend-receive unit is adapted to exchange with external devices inaccordance with either an ISO7816 or USB protocol.
 20. The microcircuitcard of claim 13, wherein the microcircuit card constitutes a device fordecrypting encrypted data in real time, such encrypted data beingrepresentative of sound.